Abstract

This report presents instructions for using the Malware-driven Overlooked Requirements (MORE) website applications. The site enables requirements engineers and architects to bring the benefit of malware attack analysis to their own product development. They can examine reports of exploited vulnerabilities, frequently augmented by relevant misuse cases, use cases, and overlooked security requirements (MUO) that site contributors have posted. From this data they can search the site to identify security requirements suitable to their own projects. They can also contribute related content and new reports.

Users can interact with the site through two applications documented here. The Security Requirement Finder (SERF) allows site contributors to build on malware exploit reports and add MUOs while referencing the Common Weakness Enumeration (CWE). The Report Writer application connects to SERF and aids contributors in adding MUOs to the exploit reports.

Instructions on performing these activities in both applications are presented here, as well as guides for performing the admin tasks associated with the applications.
Introduction

Report Writer and Security Requirement Finder (SERF) are applications through which users interact with the Malware-driven Overlooked Requirements (MORE) website. The MORE site presents a list of malware attack reports and the vulnerabilities that made those attacks possible. Such reports enable those who are building applications to learn of malware attacks others have undergone and of the security requirements they can build into their projects to prevent such attacks. Report Writer is an application used by the exploit report writers that connects to SERF to help in adding misuse cases, use cases, and overlooked security requirements (MUO) to the exploit reports.

This user manual explains the activities that various users can perform in Report Writer and the steps they must take to complete them.

Roles

Three primary roles engage with the Report Writer application:

1. public user

2. report writer

3. reviewer

There is also one admin super user. The features accessible to each of these roles are described in this section.

Public Users

Who is a public user?

A public user is someone who is about to build an application, such as a requirements engineer or an architect. If you are such a user, you will want to be aware, before you start to build, of malware attacks your application might face. You can go to the Report Writer web application to read about malware attacks that others have reported.

What actions can you perform with Report Writer?

As of now, a public user can only search and view reports hosted in this system.

How will I access the Report Writer application?

Open a browser and type in the following URL: http://report-writer.herokuapp.com/

This will open the home page of the application, as shown in Figure 1. You will see a search bar in the lower half of this home page that you can use to search for reports.
[Screenshot: Report Writer home page. Header links: Log in, Register. Banner: MORE, Malware-driven Overlooked REquirements. "This site is meant to guide requirement engineers in identifying security requirements appropriate for their project. The site focuses on exploited vulnerabilities resulting from design flaws. For each new publicly posted exploited vulnerability, contributors can identify and provide a misuse case, use case and the overlooked security requirement(s) that created the vulnerability. This helps requirements engineers avoid these and potentially other vulnerabilities in their systems. Please register to use and enjoy." Button: Register Now. Status message: "You have signed out". Search bar with Search button.]

Figure 1

How can I search for reports in the Report Writer application?

There are two ways to search for reports:

• In the search bar, type in any text from the title of a specific report and search for the reports matching that text.

• Browse through the existing reports and select one or more that interest you.

Regarding the first method, let's say you came to know that PHPWiki was attacked by some kind of malware. You want more information on this particular attack, so you type PHPWiki in the search bar and click "Search". You will see the reports that match this search text. (See Figure 2.)
[Screenshot: search for "PHPWiki" returning one result. Phpwiki Ploticus Remote Code Execution, July 25, 2015, 10:31 p.m. "The Ploticus module in Phpwiki 1.5.0 allows remote attackers to execute arbitrary code via command injection." Read more...]

Figure 2

Regarding the second method, if you don't have an application name to search for, you can simply scan through the reports and pick the one that interests you. Click "Search" without typing anything in the search field. The system will show you every report hosted in Report Writer. (See Figure 3.)

[Screenshot: Report Writer "Search Reports" page listing all reports. Header links: Log in, Register.
HP AutoPass License Server File Upload, July 25, 2015, 10:30 p.m. "This module exploits a code execution flaw in HP AutoPass License Server. It abuses two weaknesses in order to get its objective. First, the AutoPass application doesn't enforce authentication in the CommunicationServlet component. Second, it's possible to abuse a directory traversal when uploading files through the same component, allowing to upload an arbitrary payload embedded in a JSP. The module has been tested successfully on HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50." Read more...
Phpwiki Ploticus Remote Code Execution, July 25, 2015, 10:31 p.m. "The Ploticus module in Phpwiki 1.5.0 allows remote attackers to execute arbitrary code via command injection." Read more...]

Figure 3

Next, you can open a report and read it. To do this, click "Read more..." at the bottom of the report. The whole report opens. (See Figure 4.)
[Screenshot: full view of Report-00002: Phpwiki Ploticus Remote Code Execution, July 25, 2015, 10:31 p.m. Header links: Log in, Register.

Description: "The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via command injection."

CWEs: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

Misuse Case. Description: There is no sanity check on accepting the text from the input field. Primary Actor: Malicious user. Secondary Actor: Target Application. Pre-condition: The malicious user has opened the application. Flow of events: 1. The malicious user opens a form that has an input text field. 2. The malicious user inputs the arbitrary malicious code via shell meta-characters. 3. The malicious user submits the form.

Use Case. Description: All the input fields are validated on form submission. Primary Actor: User. Secondary Actor: Application. Pre-condition: User has opened the application (system). Flow of events: 1. User opens a form that has an input text field. 2. User inputs the invalid text in the input fields. 3. User submits the form.

Overlooked Security Requirement: The system shall validate all the input fields on form submission.]

Figure 4

The application displays the following fields for a report:

1. Heading

2. Description

3. Common Weakness Enumerations (CWEs) and their IDs

4. Misuse Case

5. Use Case

6. Overlooked Security Requirements

Now we will explore the role of a report writer, who creates these reports and makes them available to the public user.
Report Writers

Who is a report writer?

A report writer is someone who writes malware/exploit reports and contributes to the report repository.

I can view public reports. Can I write one of my own?

No. To write a report, you must be registered in the system. This operation mimics the behavior of Rapid7 (http://www.rapid7.com/db/), wherein all public users can see all the reports hosted in the system, but only authorized users can write reports.

These reports also require approval from the reviewer, but we'll come to that when we talk about the reviewer role.

Okay, so how can I register?

It's simple. Open the application using the following URL: http://report-writer.herokuapp.com/ Now click "Register" in the top right corner. The following screen displays. (See Figure 5.)


[Screenshot: Sign Up form. "Already have an account? Then please sign in." Required fields: Username, First name, Last name, Password, Password (again), E-mail, and an "I'm a human" check. Button: Sign Up.]

Figure 5
Fill in your details and click "Sign Up". After you submit the form, the following screen displays. (See Figure 6.)

Figure 6

The next step is to go to your inbox and find an email from reportwritingapplication@gmail.com. The email displays as shown below. (See Figure 7.)


[Screenshot: confirmation email. Tue 9/22/2015 9:39 PM, from reportwritingapplication@gmail.com, subject "[ReportWriter] Please Confirm Your E-mail Address". Body: "Hello from Report Writer! You're receiving this e-mail because user writer_007 at report-writer.herokuapp.com has given yours as an e-mail address to connect their account. To confirm this is correct, go to https://report-writer.herokuapp.com/accounts/confirm-email/<confirmation key>/ Thank you from Report Writer! report-writer.herokuapp.com"]

Figure 7

Click the link to confirm your email address. You return to the report writing application and the following page displays. (See Figure 8.)


[Screenshot: Report Writer "Confirm E-mail Address" page asking you to confirm the address for your account. Button: Confirm.]

Figure 8
Click "Confirm". The following page displays. (See Figure 9.)

[Screenshot: message "You have confirmed janedoe@abc.org." above the sign-in form ("Sign in to start your session"), with links "I forgot my password" and "Register a new account".]

Figure 9
Now that I have registered, can I log in?

Unfortunately not. There is an extra level of authentication in this application to prevent any arbitrary user from writing reports. If you try to log in, you will see an error message. (See Figure 10.)

[Screenshot: sign-in form ("Sign in to start your session") with a Remember Me check box, the links "I forgot my password" and "Register a new account", and a Sign In button.]

Figure 10
So what must I do to be able to write a report?

You must now wait until the reviewer receives this message and approves your request.

(We'll show you how the reviewer accepts this request when we discuss the reviewer role in the next section. For now, just assume that the reviewer has accepted your request.) As soon as the reviewer accepts your request, you will receive an email as shown below. (See Figure 11.)

[Screenshot: approval email. Tue 9/22/2015 9:50 PM, from Report Writer <reportwritingapplication@gmail.com>, subject "Registration Request Approved". Body: "Hello from ReportWriter! Dear writer_007, Your request to register at report-writer.herokuapp.com has been approved. You can now log in to your account through http://report-writer.herokuapp.com/accounts/login/ Thank you from ReportWriter! report-writer.herokuapp.com"]

Figure 11


When you receive the email approval, log in using your credentials. The dashboard screen displays. (See Figure 12.)


[Screenshot: dashboard. Menu: Home; Site administration, Applications. Section "Report" with a "+ Add" button.]

Figure 12
How do I write a report now?

Your dashboard shows all the features of the application available to you as a report writer. As of now, you have access to just one resource, reports. (If you have higher access in this application, you will see more resources/action items on your dashboard.)

From here you can either

• see how many approved reports there are in the system by clicking "Reports" in the above screen, or

• directly add a new report by clicking the "Add" button on the right.

1. To view approved reports, click "Reports". The list of reports displays.

2. From this list of all approved reports, you can click on any report to view it. The report, with all its details, displays as in the public user view.

3. Click on the green "Add Report" button above the list.

4. A page opens where you can create your reports. (See Figure 13.)


[Screenshot: "Add Report" page. Top bar: ReportWriter, Dashboard, Recent Actions, user menu (sankalp). Breadcrumb: Home > Report > Reports > Add Report. Fields: Name, Status (Draft), Title*, Description*, CWEs* with help text "Either click 'Suggest CWEs' to get the..." and a "Suggest CWEs" button. Links: "Write my own Misuse Case and Use Case | Suggest Misuse Cases and Use Cases". Buttons: Save and continue editing, Save.]

Figure 13


You can also arrive at this page by clicking the "Add" button from the report list screen. Do this if you want to add a new report without first viewing the list of all approved reports.


CMU/SEI-2016-SR-002 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
Distribution Statement A: Approved for Public Release; Distribution is Unlimited


How will Report Writer provide suggestions?

[Screenshot: "Add Report" page with the report filled in. Status: Draft. Title: "Symantec Endpoint Protection Manager Authentication Bypass and Code Execution". Description: "This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities include an authentication bypass, a directory traversal and a privilege escalation to get privileged code execution." CWEs* help text: "Either click 'Suggest CWEs' to get the suggested CWEs based on your description or select a CWE from the list." Button: Suggest CWEs. Links: "Write my own Misuse Case and Use Case | Suggest Misuse Cases and Use Cases". Buttons: Save and continue editing, Save.]

Figure 14

Click "Suggest CWEs". The system will pull up suggestions by parsing your text. The suggestions appear as shown in Figure 15.
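The manual does not say how Report Writer parses the description to arrive at its CWE suggestions. The following is an added illustration, not the application's code, of the simplest approach such a tool could take: score each CWE in the catalog by how many distinct words of its name occur in the description. The catalog holds the CWE IDs and names that appear in this manual's screenshots; the stopword list and the two sample descriptions (taken from Figures 3, 4 and 14) are the example's own inputs.

```python
import re
from typing import Dict, List, Set, Tuple

# CWE entries as they appear in the manual's screenshots (real CWE IDs and names).
CWE_CATALOG: Dict[str, str] = {
    "CWE-8": "J2EE Misconfiguration: Entity Bean Declared Remote",
    "CWE-78": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
    "CWE-89": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
    "CWE-305": "Authentication Bypass by Primary Weakness",
    "CWE-385": "Covert Timing Channel",
    "CWE-408": "Incorrect Behavior Order: Early Amplification",
    "CWE-494": "Download of Code Without Integrity Check",
    "CWE-535": "Information Exposure Through Shell Error Message",
    "CWE-566": "Authorization Bypass Through User-Controlled SQL Primary Key",
    "CWE-603": "Use of Client-Side Authentication",
    "CWE-639": "Authorization Bypass Through User-Controlled Key",
    "CWE-650": "Trusting HTTP Permission Methods on the Server Side",
}

# Words too generic to indicate a weakness class (assumed list; tune it for a real catalog).
STOPWORDS = {"of", "the", "a", "an", "in", "on", "by", "to", "through", "without",
             "and", "or", "use", "used", "for", "via", "with"}

# Report descriptions copied from the manual's screenshots (Figures 3/4 and 14).
PHPWIKI_DESCRIPTION = ("The Ploticus module in Phpwiki 1.5.0 allows remote attackers to execute "
                       "arbitrary code via command injection.")
SYMANTEC_DESCRIPTION = ("This module exploits three separate vulnerabilities in Symantec Endpoint "
                        "Protection Manager in order to achieve a remote shell on the box as "
                        "NT AUTHORITY\\SYSTEM. The vulnerabilities include an authentication bypass, "
                        "a directory traversal and a privilege escalation to get privileged code execution.")


def tokens(text: str) -> Set[str]:
    """Lower-case word set with punctuation removed and stopwords dropped;
    'Client-Side Authentication' -> {'client', 'side', 'authentication'}."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def suggest_cwes(description: str, catalog: Dict[str, str] = CWE_CATALOG,
                 limit: int = 5) -> List[Tuple[str, int]]:
    """Rank catalog entries by how many distinct words of their name occur in the description.
    Returns (cwe_id, score) pairs with score > 0, best first; ties are broken by numeric CWE id."""
    desc = tokens(description)
    scored = [(cwe_id, len(tokens(name) & desc)) for cwe_id, name in catalog.items()]
    hits = [entry for entry in scored if entry[1] > 0]
    hits.sort(key=lambda entry: (-entry[1], int(entry[0].split("-")[1])))
    return hits[:limit]


if __name__ == "__main__":
    for title, text in (("Symantec", SYMANTEC_DESCRIPTION), ("Phpwiki", PHPWIKI_DESCRIPTION)):
        print(title, suggest_cwes(text))
```

Run on the Symantec description, CWE-305 (Authentication Bypass by Primary Weakness) scores highest, while CWE-8 and CWE-408 each score one hit on the generic words "remote" and "order", much like the unrelated entries that appear in Figure 15. For the Phpwiki description, CWE-78 and CWE-89 tie on "command" and "injection", which is why the report in Figure 4 carries both. Word overlap is only a starting point: the writer still has to delete the suggestions that do not apply, as the manual goes on to explain.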


* REST stands for Representational State Transfer. REST is an architecture style for designing networked applications. It relies on a stateless, client-server, cacheable communications protocol, and in virtually all cases the HTTP protocol is used. A REST API allows for seamless integration of functionality between applications.

Elkstein, M., 2008. "Learn REST: A Tutorial." http://rest.elkstein.org/2008/02/what-is-rest.html
[Screenshot: "Add Report" page after clicking "Suggest CWEs". Title and description as in Figure 14. Suggested CWEs: CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key; CWE-535: Information Exposure Through Shell Error Message; CWE-639: Authorization Bypass Through User-Controlled Key; CWE-603: Use of Client-Side Authentication; CWE-305: Authentication Bypass by Primary Weakness; CWE-494: Download of Code Without Integrity Check; CWE-650: Trusting HTTP Permission Methods on the Server Side; CWE-8: J2EE Misconfiguration: Entity Bean Declared Remote; CWE-385: Covert Timing Channel; CWE-408: Incorrect Behavior Order: Early Amplification. Button: Suggest CWEs. Links: "Write my own Misuse Case and Use Case | Suggest Misuse Cases and Use Cases". Buttons: Save and continue editing, Save.]

Figure 15

You can delete the CWE suggestions that are not relevant to you. You can also add new ones by typing in the CWEs box; additional suggestions will appear. (See Figure 16.)


[Screenshot: the Description field of the Symantec Endpoint Protection Manager report, above the CWEs box in which typing brings up additional suggestions.]

Figure 16




When you have finished selecting the CWE suggestions, you have two options. You can either

• request suggestions for misuse cases and use cases, or

• write one of your own.

To take the first option, click on "Suggest Misuse Cases and Use Cases". The suggested misuse case appears in a Mac-Finder-like view. (See Figure 17.)


[Screenshot: the selected CWEs as in Figure 15, then a "Misuse Cases" panel listing MU/00001 with Description: "The user is never asked for the authentication even when he/she is changing the state of the server e.g. by uploading file on the server." Buttons: Close, Select. Below: "Write my own Misuse Case and Use Case | Suggest Misuse Cases and Use Cases", Save and continue editing.]

Figure 17


Currently one misuse case appears for the selected CWE. To select a misuse case, click it in the left panel. The right panel populates with the use case and overlooked security requirements. (See Figure 18.) Select one of these.




[Screenshot: two-panel view below the selected CWEs. Left panel "Misuse Cases": MU/00001, Description: "The user is never asked for the authentication even when he/she is changing the state of the server e.g. by uploading file on the server." Right panel "Use Cases & Overlooked Security Requirements": Use Case UC/00001, Description: "The user is asked for the authentication when he/she is changing the state of the server e.g. by uploading file on the server." Primary Actor: User. Secondary Actor: Application. Precondition: User has opened the application (system). Link: See More. Below: Suggest CWEs button, "Write my own Misuse Case and Use Case | Suggest Misuse Cases and Use Cases", Save.]

Figure 18

After selecting, you can save the report by first clicking on "Select" and then on "Save".

The text areas for report details will be auto-populated for the selected misuse case and use case. (See Figure 19.)
[Screenshot: "Add Report" page with the misuse case and use case text areas auto-populated. Selected CWEs as in Figure 15.
Misuse Case. Description: "The user is never asked for the authentication even when he/she is changing the state of the server e.g. by uploading file on the server." Primary actor: Malicious user. Secondary actor: Target Application. Pre-condition: "Malicious user has opened the application (system) and has the malicious/harmful file to be uploaded onto the server." Flow of events.
Use Case. Description: "The user is asked for the authentication when he/she is changing the state of the server e.g. by uploading file on the server." Primary actor: User. Secondary actor: Application. Pre-condition: "User has opened the application (system)." Flow of events.]

Figure 19


If you are not satisfied with the suggested misuse case, you can choose to write one of your own. Click "Write my own Misuse Case and Use Case". Additional text areas appear for you to fill in to complete the report. (See Figure 20.)
[Screenshot: "Write my own Misuse Case and Use Case | Suggest Misuse Cases and Use Cases" links, followed by empty text areas for the misuse case and the use case: Description, Primary actor, Secondary actor, Post-condition.]

Figure 20


After completing the fields, click "Save" to save the report as a draft. The previous list-of-reports screen appears. (See Figure 21.)


[Screenshot: "Select Report to change" list. Breadcrumb: Home > Report > Reports. Button: + Add Report. Search box. Columns: Name, Status. Rows: Report-00004, Draft; Report-00003, Approved; Report-00001, Approved. Action drop-down; "0 of 3 selected".]

Figure 21




To submit the draft report, reopen it and click "Submit for Review" at the bottom of the screen.

Your report will be saved, and all the fields will become read-only. The report is now awaiting approval by the reviewer. The status for this report in the report list screen will be "In Review". (See Figure 22.)


[Screenshot: report list. Columns: Name, Status. Rows: Report-00004, In Review; Report-00003, Approved; Report-00001, Approved. Action drop-down; "0 of 3 selected".]

Figure 22

Can I change the report contents after submission?

You can, but only before it is approved. First go to the bottom of the report and click "Reopen". Your report reopens, and you can make your changes and save the report just as you saved it the first time. (See Figure 23.)

Once the report is approved, you cannot perform further action on it.


[Screenshot: bottom of a submitted report. Overlooked Security Requirement: "When a security-sensitive functionality is used by the user, the system shall ask for user authentication." Button: Reopen.]

Figure 23


How will I know that my report has been accepted?

You will receive an email notifying you of your report's acceptance. (See Figure 24.) Its status will change to "Approved" in the report list screen.
[Screenshot: acceptance email. Tue 9/22/2015 10:50 PM, from Report Writer <reportwritingapplication@gmail.com>, subject "Your Report has been accepted". Body: "Dear ..., Your Report Report-00003 has been accepted. You have been notified because you set yourself as a listener for this activity. To make changes, please edit your preferences. - Report Writing Application"]

Figure 24
What else can I do as a report writer?

You can view and change your profile. To do this, click your name in the top right corner and then click "My Profile". (See Figure 25.)


[Screenshot: top bar with "Recent Actions" and the user menu (Sankalp) expanded, showing My Profile and Logout.]

Figure 25


The update profile page displays. Here you can do the following:

1. Change your display name.

2. Change your password.

3. Change your email preferences.

4. Change your notification settings.

5. Deactivate your account.

(See Figure 26.)
[Screenshot: "My Profile" page. Sections: Personal Information (first name Jane, last name Doe), Notification Settings, and links for managing your e-mails and your account.]

Figure 26


If you click "Manage My Emails", you'll be presented with options to add another email to this account, remove the existing one, make an email primary, and resend the verification link. (See Figure 27.)


[Screenshot: "E-mail Addresses" page. "The following e-mail addresses are associated with your account:" janedoe@abc.org, Verified | Primary. Buttons: Make Primary | Re-send Verification | Remove. Form "Add E-mail Address" with an E-mail* field and an "Add E-mail" button.]

Figure 27
Reviewers

Who is a reviewer?

A reviewer is someone who approves the reports so that they can be made available to the public.

How can I become a reviewer?

You must register in the same manner as a report writer. The super user will determine whether you can be escalated to the reviewer access level.

What can I do as a reviewer?

As a reviewer, you can add/edit/view CWEs, view issues raised for some reports, and approve the reports. You'll find each activity explained below.

Reports

If you click Reports, the list of all the approved reports in the system will display. Additionally, you will see which reports are awaiting review.


[Screenshot: report list. Columns: Name, Status. Rows: Report-00004, In Review; Report-00003, Approved; Report-00001, Approved.]

To approve a report, open an In Review report. At the bottom of the report screen, click the "Approve" button. The report is approved with the following notification. (See Figure 28.)

[Screenshot: message "You have approved the submission". Name: Report-00004. Status: Approved.]

Figure 28


Report rejection

You can reject or unpublish any report. You might choose to do so when it is a duplicate of another report, is incorrect, or uses offensive language. To reject a report, open it and click on the "Reject" button. A pop-up will appear. (See Figure 29.)

Figure 29

In the pop-up, type in the reason for rejection and click "Reject". The report is rejected and a message is sent to the author. The author can still reopen the report and re-submit it after making the changes that you prescribed.

[Screenshot: "Change Report" page with its History view.]

Figure 30


Report publish/unpublish

There is an additional button on every approved report, "Unpublish". You may want to take a report offline for some reason. For example, you may learn that it contains errors or offensive language, or is a duplicate, yet still slipped through to publication. In such cases you would unpublish the report.

Once the MUO is unpublished, you can either publish it back or republish it. You can republish it with or without making changes. If you have unpublished it in error, you can publish it back as it is.
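Taken together, the report writer and reviewer sections describe a small lifecycle: Draft, In Review and Approved, with Submit, Reopen, Approve, Reject, Unpublish and Publish moving a report between states, and with each action restricted to one role (only the author edits and only while the report is a draft, only a reviewer approves, rejects or unpublishes, and nobody edits an approved report). The block below is an added example, not the application's implementation, that encodes those rules as a transition table checked on every action. The role names `writer` and `reviewer`, the `Rejected` and `Unpublished` status labels, and all function names are the example's own choices.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Status labels: "Draft", "In Review" and "Approved" are the ones shown in the manual's report list;
# "Rejected" and "Unpublished" are assumed labels for the two states the text describes but never names.
DRAFT, IN_REVIEW, APPROVED, REJECTED, UNPUBLISHED = "Draft", "In Review", "Approved", "Rejected", "Unpublished"

# (current status, action) -> (role allowed to perform it, resulting status).
# Anything not listed here is forbidden, which is what keeps a writer from touching an approved report.
TRANSITIONS: Dict[Tuple[str, str], Tuple[str, str]] = {
    (DRAFT, "submit"):        ("writer", IN_REVIEW),    # "Submit for Review"
    (IN_REVIEW, "reopen"):    ("writer", DRAFT),        # edits are allowed only before approval
    (REJECTED, "reopen"):     ("writer", DRAFT),        # author applies the changes the reviewer prescribed
    (IN_REVIEW, "approve"):   ("reviewer", APPROVED),
    (IN_REVIEW, "reject"):    ("reviewer", REJECTED),
    (APPROVED, "unpublish"):  ("reviewer", UNPUBLISHED),
    (UNPUBLISHED, "publish"): ("reviewer", APPROVED),   # publish back as is, or after changes
}


class WorkflowError(Exception):
    """Raised when a user tries an action their role or the report's state does not permit."""


@dataclass
class Report:
    name: str
    author: str
    status: str = DRAFT
    history: List[str] = field(default_factory=list)  # the audit trail a "History" view would show

    def editable_by(self, user: str, role: str) -> bool:
        """Field edits are allowed only to the author and only while the report is a draft."""
        return role == "writer" and user == self.author and self.status == DRAFT


def allowed_actions(report: Report, role: str) -> List[str]:
    """The actions a role may take on the report right now (e.g. which buttons a UI should render)."""
    return sorted(action for (status, action), (required, _) in TRANSITIONS.items()
                  if status == report.status and required == role)


def apply_action(report: Report, action: str, user: str, role: str,
                 reason: Optional[str] = None) -> Report:
    """Check state, role and ownership before moving the report; record every successful move."""
    key = (report.status, action)
    if key not in TRANSITIONS:
        raise WorkflowError(f"{action!r} is not allowed while the report is {report.status!r}")
    required_role, next_status = TRANSITIONS[key]
    if role != required_role:
        raise WorkflowError(f"{action!r} requires the {required_role} role")
    if role == "writer" and user != report.author:
        raise WorkflowError("only the author may act on their own report")
    if action == "reject" and not reason:
        raise WorkflowError("a rejection must carry a reason to send to the author")
    note = f"{user} ({role}): {report.status} -> {next_status}"
    report.history.append(note + (f" [{reason}]" if reason else ""))
    report.status = next_status
    return report
```

Checking the table on the server for every action, rather than only hiding buttons in the UI, is what makes "once the report is approved, you cannot perform further action on it" hold for a writer who crafts the request by hand; `allowed_actions` is then just a convenience for rendering the same rules.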
CWE

Report Writer has a list of CWEs so that it can associate its reports with them. You can access those CWEs here. Click on CWEs. A list of the CWEs in the system displays. (See Figure 31.)


[Screenshot: CWE list with a date filter (All dates, July 2015, September 2015). Rows: CWE-408: Incorrect Behavior Order: Early Amplification; CWE-385: Covert Timing Channel; CWE-8: J2EE Misconfiguration: Entity Bean Declared Remote; CWE-650: Trusting HTTP Permission Methods on the Server Side; CWE-603: Use of Client-Side Authentication; CWE-639: Authorization Bypass Through User-Controlled Key; CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key; further rows cut off.]

Figure 31


You  can  click  the  name  of  any  CWE  to  edit  it.  You  can  also  add  new  ones  to  the  system. 


Code*
408

Name*
Incorrect Behavior Order: Early Amplification

Delete    Save and continue editing    Save

Figure 32


Super  User 

A  super  user  is  someone  who  has  the  highest  level  of  access  in  the  application.  (See  Figure 
33.) 
ReportWriter    Dashboard    Recent Actions    admin

Home
Site administration    Applications

Accounts
Email addresses    + Add
Email confirmations    + Add

Accounts Invitation
Email invitations    + Add

Authentication and Authorization
Groups    + Add
Users    + Add

Report
CWEs    + Add
Issue Reports    + Add
Reports    + Add

REST API
REST Configuration

Sites
Sites    + Add

Figure 33

The  only  difference  between  the  super  user  and  the  admin  is  that  the  admin  role  is  created  by 
the  super  user.  In  the  REST  API,  the  admin  will  be  able  to  save  the  SERF  (REST  API)  URL. 
The  admin  can  also  set  the  Token  on  this  same  screen.  (See  Figure  34.)  This  token  is  used  for 
authenticating  Report  Writer  with  the  MORE  application.  Without  this  token,  the  Report  Writer 
application  wouldn’t  be  able  to  consume  the  web  service.  Note  that  this  is  just  one  set  of  the 
REST  API  settings.  You  can  only  edit  it;  you  cannot  add  new  ones. 


Url*
https://enhanced-cwe.herokuapp.com/api/v1

Token*
(value not legible in the screenshot)

Save and continue editing    Save

Figure 34


CMU/SEI-2016-SR-002 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
Distribution Statement A: Approved for Public Release; Distribution is Unlimited


Report Writer Admin Guide

Introduction

This  document  is  the  admin  guide  for  the  web-based  Report  Writer  application.  It  describes  the 
detailed  steps  the  application  admin  must  follow  to  accomplish  application  and  user- 
management  tasks. 

The  document  is  divided  into  two  major  sections: 

1. Common Scenarios: This section describes the frequently mentioned pages and
common  operations  that  can  be  shared  by  all  the  tasks,  such  as  how  to  add,  change  or 
delete  an  item. 

2.  Tasks:  This  section  describes  the  detailed  steps  for  accomplishing  the  application  and 
user  management  tasks  that  the  application  admin  may  need  to  perform,  such  as  how  to 
approve  a  user’s  registration. 


Intended  Audience 

This  document  is  intended  for  the  admin  of  the  Report  Writer  application. 


Common  Scenarios 

Throughout  the  document,  certain  concepts  and  web  pages  are  mentioned  frequently.  They  are 
listed  and  defined  in  this  section. 


Pages 

Home  page 

The  home  page  is  the  first  page  users  see  when  they  enter  the  website  URL.  It  displays  the  title 
and a brief introduction to the website. (See Figure 1.)
ReportWriter    Log in    Register

Malware-driven Overlooked REquirements

This site is meant to guide requirement engineers in identifying security requirements appropriate for their project. The site focuses on exploited vulnerabilities resulting from design flaws. For each new publicly posted exploited vulnerability, contributors can identify and provide a misuse case, use case and the overlooked security requirement(s) that created the vulnerability. This helps requirements engineers avoid these and potentially other vulnerabilities in their systems. Please register to use and enjoy.

Register Now

Figure 1: Home page


Dashboard  Page 

After  you  log  in,  the  dashboard  page  appears,  which  lists  all  manageable  items.  (See  Figure  2.) 
ReportWriter    Dashboard    Recent Actions    admin

Home
Site administration    Applications

Accounts
Email addresses    + Add
Email confirmations    + Add

Accounts Invitation
Email invitations    + Add

Authentication and Authorization
Groups    + Add
Users    + Add

Figure 2: Dashboard Page (partial view)


Common  Administration  Operations 

The  Report  Writer  website  is  created  with  a  consistent  look  and  feel  for  management 
operations,  so  the  management  of  different  functions  looks  very  similar.  Each  function  is 
explained  below. 

The  typical  management  operations  include  the  following: 

•  Add: Add a new instance, such as a user group.

•  Save: Save the current modification.

•  Modify: Modify the information of an existing instance.

•  Delete: Delete an existing instance.

As  an  example,  the  management  of  user  groups  will  serve  to  show  how  to  perform  addition, 
modification,  or  deletion  in  the  website.  Beyond  user  groups,  the  four  operations  above  can  be 
applied  to  other  managed  entities,  including  the  following: 

•  email  addresses,  email  confirmations,  and  email  invitations 

•  groups  and  users 
•  CWEs, issue reports, and reports

•  sites 

•  user  profiles 


Add 

You  can  add  a  user  group  in  one  of  two  ways:  through  “Add”  in  the  dashboard  page  or  the  “Add” 
button  in  the  group  list  page. 


In  the  dashboard  page,  locate  “Groups”  in  the  “Authentication  and  Authorization”  section.  There 
is  a  “+Add”  button  on  the  right-hand  side.  Click  it  to  open  the  group  adding  page. 

Authentication and Authorization
Groups    + Add
Users    + Add

Figure 3: Add a group


Alternatively,  you  can  click  the  “Groups”  name  first  to  open  the  group  list  page,  then  click  the 
“Add  group”  button  to  open  the  group  adding  page.  (See  Figure  4  and  Figure  5.) 

Authentication and Authorization
Groups    + Add
Users    + Add

Figure 4: Click “Groups”

ReportWriter    Dashboard    Recent Actions    admin

Home    Authentication And Authorization    Groups

Select group to change    + Add group
Search

Figure 5: Click “Add group” to open the group adding page


Modify 

To  modify  a  group’s  settings,  follow  the  steps  below: 

1. In the dashboard page, navigate to the group list page through “Authentication and Authorization” -> “Groups”. (See Figure 4 above.)

2. In the group list, click the name of the group for which information is to be changed. The Change group page opens. (See Figure 6 and Figure 7.)


Action:    Go    0 of 1 selected

[ ] Group
[ ] default_group

Figure 6: Click the group’s name


Home    Authentication And Authorization    Groups    default_group

Change group    History

Name*
default_group

Available permissions    Chosen permissions

contenttypes | content type | Can add content type
contenttypes | content type | Can change content type
contenttypes | content type | Can delete content type
report | CWE | Can add CWE
report | CWE | Can change CWE
auth | user | Can add user
auth | user | Can change user
auth | user | Can delete user
invitation | email invitation | Can add email invitation

Choose all    Remove all

Hold down "Control", or "Command" on a Mac, to select more than one.

Auto Assign

Figure 7: The Change group page opens


Delete 

There  are  two  ways  to  delete  a  user  group:  delete  selected  user  groups  or  delete  the  opened 
user  group. 

To  delete  the  selected  user  groups,  follow  the  steps  below: 

1. In the dashboard page, navigate to the user group list through “Authentication and Authorization” -> “Groups”.

2.  Select  all  the  user  groups  to  be  deleted. 

(See  Figure  8  and  Figure  9.) 
ReportWriter    Dashboard

Home    Authentication And Authorization    Groups

Select group to change    + Add group

Action:    Go    2 of 2 selected

[x] Group
[x] default_group
[x] my_group

Figure 8: Select user group for deletion

3.  Select  “Delete  selected  groups”  from  the  drop-down  list. 

Home    Authentication And Authorization    Groups

Select group to change    + Add group

Action: Delete selected groups    Go    2 of 2 selected

Figure 9: Delete user group


4.  Click  the  “Go”  button.  A  confirmation  page  displays. 

5.  Click  “Yes,  I’m  sure”  to  delete  all  the  selected  groups,  or  click  “No,  take  me  back”  to 
return  to  the  group  list  page. 


To  delete  the  opened  user  group,  follow  the  steps  below: 

1. In the dashboard page, navigate to the user group list through “Authentication and Authorization” -> “Groups”.

2.  Click  the  group  name  to  open  the  group. 

3.  In  the  group  page,  click  the  “Delete”  button. 

4.  Click  “Yes,  I’m  sure”  to  delete  this  group,  or  click  “No,  take  me  back”  to  return  to  the 
group  page. 
Save


You  can  save  a  group  that  has  been  edited  by  using  any  of  these  three  buttons:  “Save  and  add 
another”,  “Save  and  continue  editing”,  or  “Save”. 

These  three  buttons  are  usually  visible  in  the  group  detail  page.  However,  “Save  and  add 
another”  is  only  visible  when  you  are  adding  a  new  group. 

The  function  of  each  button  is  described  below: 

•  Save  and  add  another:  The  currently  edited  group  is  saved  and  a  page  with  all  the 
fields  of  the  default  values  displays  so  you  can  add  another  group. 

•  Save  and  continue  editing:  The  currently  edited  group  is  saved  and  remains  open.  You 
can  continue  editing  its  information. 

•  Save:  The  currently  edited  group  is  saved.  The  group  list  page  displays. 


Tasks 

This  section  describes  the  steps  for  completing  the  tasks  you  perform  most  frequently. 


Log  in 

To  log  in  to  the  system,  follow  the  steps  below: 

1. Open the home page of the website.

2.  Click  the  “Log  in”  button  on  the  top-right  corner. 


Login  Register 


Figure  10:  Log  in 

3.  Enter  your  username  and  password. 


Sign  in  to  start  your  session 


admin 


Remember  Me 


I  forgot  my  password 
Register  a  new  account 


Figure  11:  Sign  in 
4. Click the “Sign In” button.

5.  When  the  dashboard  page  displays,  you  have  logged  in  successfully. 


Log  out 

To  log  out  of  the  system,  follow  the  steps  below: 

1. In any page, click the user icon in the top-right corner. A drop-down menu displays.


View  site 
My  Profile 
Log  out 


Figure  12:  Log  out 


2.  Click  “Log  out”. 

3.  A  confirmation  page  displays  to  confirm  that  you  intend  to  log  out. 


Are  you  sure  you  want  to  sign  out? 


Sign  Out 


Figure  13:  Confirm  logout 

NOTE:  If  you  do  not  wish  to  log  out,  click  the  “Dashboard”  button  on  the  top  of  the  page  to 
return  to  the  dashboard  page. 

4.  Click  “Sign  Out”. 

5.  The  home  page  displays.  The  “Log  in”  button  displays  on  the  top-right  corner,  which 
means  you  have  logged  out  successfully. 
ReportWriter


Login  Register 


MORE 

Malware-driven  Overlooked  REquirements 

This  site  is  meant  to  guide  requirement  engineers  in  identifying  security  requirements 
appropriate  for  their  project.  The  site  focuses  on  exploited  vulnerabilities  resulting  from 
design  flaws.  For  each  new  publicly  posted  exploited  vulnerability,  contributors  can 
identify  and  provide  a  misuse  case,  use  case  and  the  overlooked  security  requirement(s) 
that  created  the  vulnerability.  This  helps  requirements  engineers  avoid  these  and 
potentially  other  vulnerabilities  in  their  systems.  Please  register  to  use  and  enjoy. 

Register  Now 


You have signed out.


Search 


Copyright  ©  2015  ReportWriter.  All  rights  reserved. 


Figure  14:  Home  page 


Approve  New  User’s  Registration 

Scenario:  The  user  has  registered  and  verified  his/her  email,  but  still  cannot  log  in. 

To  approve  a  user’s  registration,  follow  the  steps  below: 

1. In the dashboard page, navigate to “Accounts” -> “Email addresses”.

2.  In  the  email  address  list,  click  the  email  address  to  be  approved.  The  value  of  the 
“Admin  approval”  of  this  email  should  be  “Pending”. 

3.  In  the  “Change  email  address”  page,  click  “Approve”  to  approve  this  email  address. 

(See  Figure  15.) 




User*
johndoe

Admin approval:
Pending

E-mail address*
johndoe@andrew.cmu.edu

[x] Primary    [x] Verified

Created at:
Oct. 24, 2015, 8:45 p.m.

Modified at:    Modified by:
Oct. 24, 2015, 8:45 p.m.    (None)

Delete    Reject    Approve    Save and continue editing    Save

Figure 15: Approve email address


4.  After  the  email  address  is  approved,  a  message  displays. 


The  email  address  "johndoe@andrew.cmu.edu  (johndoe)"  has  been  approved. 


Figure  16:  Email  address  approval  confirmation 


5.  The  user  can  now  log  in. 

Alternatively,  follow  the  steps  below  if  you  wish  to  reject  the  registration  of  the  user: 

1. In Step 3, click “Reject”.

2.  Enter  the  reason  for  rejecting  the  user’s  registration  in  the  pop-up  dialog. 

Reject johndoe@example.com (johndoe)


Figure  17:  Reject  registration 
3. Click “Reject”.

4.  The  following  message  displays. 


This request has been rejected: This is a personal email. Please use an organizational email to register.


Figure  18:  Rejection  email 

5.  The  user  receives  an  email  that  explains  why  the  request  is  rejected. 


Privilege  Management 


Group  Management 


To  add  a  group,  follow  the  steps  below: 

1. In the admin dashboard, navigate to “Authentication and Authorization” -> “Groups”.

2.  In  the  group  list  page,  click  “Add  group”. 

3.  In  the  “Add  group”  page,  enter  the  group  name. 

4.  In  the  “Permissions”  list  box,  select  the  permissions  that  should  be  assigned  to  the 
group. 


Permissions

Available permissions
Filter

cwe | Category | Can add Category
cwe | Category | Can change Category
cwe | Category | Can delete Category
cwe | Category | Can view Category

Figure 19: Select group permissions


5.  Click  the  right  arrow  to  assign  the  selected  permissions  to  the  user. 
Before permission assignment:

Permissions

Available permissions
Choose all

After permission assignment:

Chosen permissions
cwe | Category | Can add Category
cwe | Category | Can change Category
cwe | Category | Can view Category

Figure 20: Assign group permissions


6. If a user should be automatically assigned to this group, choose one or more of the following:

a.  Auto  Assign:  This  group  will  be  automatically  assigned  to  any  registered  user. 

b.  Auto  Assign  to  Clients:  This  group  will  be  automatically  assigned  to  any 
registered  client. 

c.  Auto  Assign  to  Contributors:  This  group  will  be  automatically  assigned  to  any 
registered  contributor. 

7.  Click  “Save”  to  save  the  permission  assignment. 

To  modify  a  group’s  configuration,  follow  the  steps  below: 

1. In the admin dashboard, navigate to “Authentication and Authorization” -> “Groups”.

2.  In  the  group  list  page,  click  the  group  name. 

3.  Modify  the  permissions  or  the  automatic  assignment  options  in  the  way  described  above. 

4.  Click  “Save”  to  save  the  modifications. 


User  Management 

To  manage  the  user’s  permissions,  follow  the  steps  below: 

1. In the admin dashboard, navigate to “Authentication and Authorization” -> “Users”.

2. In the user list page, click the user’s name.

3.  In  the  “Change  user”  page,  scroll  down  to  the  “Permissions”  section. 

4.  In  the  “User  permissions”  list  box,  select  the  permissions  to  be  assigned  to  the  user. 

User permissions

Available user permissions
Filter

cwe | Category | Can add Category
cwe | Category | Can change Category
cwe | Category | Can delete Category
cwe | Category | Can view Category

Figure 21: Select user permissions


5.  Click  the  right  arrow  to  assign  the  selected  permissions  to  the  user. 


User permissions

Available user permissions
Choose all

Figure 22: Before permission assignment

Chosen user permissions
cwe | Category | Can add Category
cwe | Category | Can change Category
cwe | Category | Can view Category

Choose all    Remove all

Figure 23: After permission assignment
6. Click “Save” to save the permission assignment.


REST  API  Management 

Because  the  Report  Writer  application  must  communicate  with  the  SERF  server  via  REST  API, 
you  must  manage  REST  configuration  so  the  Report  Writer  application  can  function  correctly. 

To  manage  the  REST  API  configuration,  follow  the  steps  below: 

1. In the admin dashboard, navigate to “REST API” -> “REST Configuration”.

2. In the “Change REST Configuration” page:

a. In “Url”, enter the URL of the SERF server plus “/api/v1”. Please do not append “/” after “v1”.

b. In “Token”, enter the token that is obtained after registering as a client in SERF.

Url*
http://localhost:8080/api/v1

Token*
f9a62b1c40ff2a42325cbadec77cfc2351807898

Figure 24: Change REST configuration

3.  Click  “Save”  to  save  the  site  information. 
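The Url and Token entered above are the only link between Report Writer and SERF, so a mistyped Url breaks the integration and a leaked Token exposes it. The Python helper below is an added example, not code from the Report Writer or SERF projects: it builds the Url the guide asks for (server address plus /api/v1, nothing after v1), reports configuration problems before they are saved, and masks the Token for log output; the HTTPS check and the masking go beyond what the guide states, and all host names and token values in it are constructed.

```python
"""Check a Report Writer REST configuration (Url and Token) before saving it.

Added example; not code from the Report Writer or SERF projects. Rules taken
from the admin guide: Url is the SERF server address plus "/api/v1" with no
trailing slash after "v1"; Token is the client token issued by SERF. The
HTTPS check and the token masking are added defensive practice.
"""
from typing import List
from urllib.parse import urlsplit, urlunsplit

API_SUFFIX = "/api/v1"


class RestConfigError(ValueError):
    """Raised when a server address cannot be turned into a valid Url."""


def build_api_url(server_url: str) -> str:
    """Return the Url value for a SERF server address.

    Accepts "https://host", "https://host/" or an address that already ends
    in /api/v1 (with or without a trailing slash) and always yields
    "<scheme>://<host>/api/v1" with nothing after "v1".
    """
    parts = urlsplit(server_url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise RestConfigError(f"not an absolute http(s) URL: {server_url!r}")
    path = parts.path.rstrip("/")
    if not path.endswith(API_SUFFIX):
        path += API_SUFFIX
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def validate_rest_config(url: str, token: str,
                         allow_plain_http_localhost: bool = True) -> List[str]:
    """Return the list of problems with a configuration; empty means acceptable.

    A localhost URL over plain http is tolerated by default because the
    guide's own screenshot uses http://localhost:8080; any other host must
    use https so the Token is not sent in clear text.
    """
    problems: List[str] = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        problems.append("Url must be an absolute http(s) URL")
    else:
        if parts.path.endswith("/"):
            problems.append("Url must not end with '/' after 'v1'")
        elif not parts.path.endswith(API_SUFFIX):
            problems.append(f"Url must end with {API_SUFFIX}")
        if parts.query or parts.fragment:
            problems.append("Url must not carry a query string or fragment")
        is_local = parts.hostname in ("localhost", "127.0.0.1")
        if parts.scheme != "https" and not (is_local and allow_plain_http_localhost):
            problems.append("Url should use https so the Token is not sent in clear text")
    if not token or any(ch.isspace() for ch in token):
        problems.append("Token must be non-empty and contain no whitespace")
    return problems


def mask_token(token: str, visible: int = 4) -> str:
    """Render the Token for a log line or screenshot without disclosing it."""
    if len(token) <= visible:
        return "*" * len(token)
    return "*" * (len(token) - visible) + token[-visible:]


if __name__ == "__main__":
    # Constructed sample values, not a real SERF deployment or token.
    url = build_api_url("https://serf.example.invalid/")
    token = "c0ffee00deadbeef0123456789abcdef01234567"
    print(url, mask_token(token), validate_rest_config(url, token))
```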
Introduction


Security Requirement Finder (SERF) is an application that allows contributors to add misuse cases, use cases, and overlooked security requirements (MUO) to the listed security weaknesses (Common Weakness Enumeration entries) associated with reported malware attacks. By enabling report writers to produce reports with more comprehensive content in a consistent format, SERF also enables the requirements engineers and system architects who view those reports to prevent the same security issues from recurring.

This  document  is  the  user  manual  for  the  SERF  website.  It  describes  the  detailed  steps  users 
should  take  to  accomplish  their  everyday  tasks. 

Roles 

Four  primary  roles  will  use  the  Security  Requirements  Finder  Application: 

1.  public  user 

2.  contributor 

3.  reviewer 

4.  client 

There  is  also  one  admin  super  user  associated  with  the  SERF  Application.  Please  refer  to  the 
SERF  Admin  guide  for  more  information  about  the  operations  an  admin  can  perform.  This 
SERF  user  manual  only  lists  the  features  specifically  accessible  to  a  public  user,  contributor, 
and  reviewer. 

Public  User 

Who  is  a  public  user? 

A  public  user  is  any  user  who  wishes  to  view  the  existing  use  cases,  misuse  cases,  and 
overlooked  security  requirements  in  the  application.  This  user  might  be  a  requirements  engineer 
or  a  software  architect  who  is  writing  or  listing  the  requirements  for  a  software  project.  He  or  she 
can  either  search  for  a  particular  MUO  related  to  a  specific  Common  Weakness  Enumeration 
(CWE)  or  view  all  the  existing  MUOs  in  the  system.  The  instructions  below  are  geared  to  the 
public  user. 

Viewing  existing  MUOs 

To  view  the  existing  MUOs,  perform  the  following  steps: 

1.  Launch  the  URL  http://serf-sei.herokuapp.com/ 

The  following  page  displays.  (See  Figure  1.) 
Get MUOs

Figure 2


3.  Click  the  “Get  MUOs”  button.  The  existing  MUOs  display.  Ideally  the  screen  should  appear  as 
below.  (See  Figure  3.)  To  view  additional  MUOs,  scroll  down  the  left  and  right  panes. 
Misuse Cases    Use Cases & Overlooked Security Requirements

MU/00001    July 25, 2015, 10:19 p.m.
Description
The user is never asked for the authentication even when he/she is changing the state of the server e.g. by uploading file on the server.
See More

MU/00002    July 25, 2015, 10:21 p.m.
Description
There is no sanity check on accepting the text from the input field.

Use Case: UC/00001    July 25, 2015, 10:19 p.m.
Description
The user is asked for the authentication when he/she is changing the state of the server e.g. by uploading file on the server.
Primary Actor
User
Secondary Actor
Application
Pre-condition
User has opened the application (system).
Flow of Events

Figure 3


Searching  existing  MUOs 

As  a  public  user,  you  can  also  search  for  an  MUO  by  typing  the  name  of  any  relevant  CWE  you 
are  aware  of.  When  you  type  the  CWE,  the  screen  displays  a  list  of  related  CWEs  from  which  to 
choose.  The  list  looks  similar  to  the  one  below.  (See  Figure  4.) 


CWE-302: Authentication Bypass by Assumed-Immutable Data
CWE-304: Missing Critical Step in Authentication
CWE-306: Missing Authentication for Critical Function
CWE-307: Improper Restriction of Excessive Authentication Attempts
CWE-308: Use of Single-factor Authentication

Figure 4

For  example,  when  you  type  Authentication,  a  list  of  CWEs  related  to  Authentication  displays  as 
shown.  You  can  choose  one  of  them  and  view  the  related  MUOs  for  the  selected  CWE. 




Contributors  and  Reviewers 

Any  public  user  who  wishes  to  contribute  to  the  website  can  do  so  in  one  of  the  following  ways: 

•  Become  a  contributor  and  write  MUOs. 

•  Become  a  reviewer  and  review  the  MUOs. 
Contributor

Should  you  wish  to  become  a  contributor,  you  must  first  register  as  contributor  and  then  log  into 
the  system.  The  registration  process  is  explained  below. 

Registration 

To  register  as  a  contributor,  follow  the  steps  below: 

1. Click on the “Register” button in the top right corner as shown below. (See Figure 5.)


SERF  Log  in  Register 

MORE 

Malware-driven  Overlooked  REquirements 


Figure  5 

2.  A  screen  like  the  one  below  will  appear.  (See  Figure  6.)  Fill  in  your  details  and  make  sure  you 
choose  your  role  as  a  contributor. 

Sign  Up 

Already  have  an  account?  Then  please  sign  in. 

Username* 

First  name*  Last  name* 

Password*  Password  (again)* 

E-mail* 

Role* 

(•) Contributor    ( ) Client

I'm  a  human* 


Figure  6 
3. After entering your details, make sure you click the “Sign-Up” button, which is located at the
bottom  left  of  the  page.  (See  Figure  7.) 


Sign  Up 


Figure  7 

A  typical  completed  form  displays  as  below.  (See  Figure  8.) 

Username* 

Contributor 

First  name*  Last  name* 

John  Doe 

Password*  Password  (again)* 

E-mail* 

john.doe@gmail.com 

Role* 

(•) Contributor    ( ) Client


I'm  a  human* 


Sign Up


Figure  8 

4.  After  you  sign  up,  the  page  below  displays.  (See  Figure  9.)  You  receive  a  confirmation  link 
through  the  email  address  with  which  you  registered. 


EnhancedCWE  Login  Register 


Confirmation  e-mail  sent  to  swati.priyam20@gmail.com. 


Verify  Your  E-mail  Address 

We  have  sent  an  e-mail  to  you  for  verification.  Follow  the  link  provided  to  finalize  the  signup  process.  Please  contact  us  if  you  do  not  receive  it  within  a  few  minutes. 

Figure  9 

5.  Follow  the  steps  mentioned  in  the  email  that  you  receive  and  confirm  your  email  address. 
After  you  confirm,  a  web  page  displays.  (See  Figure  10.) 




Your  registration  request  is  pending  for  admin 
approval 


Sign  in  to  start  your  session 


I forgot my password
Register  a  new  account 


Figure  10 

6.  Wait  for  the  admin  to  approve  your  registration.  You  will  receive  an  email  notifying  you  when 
admin  approval  is  complete. 

7.  After  the  admin  approves,  you  are  set  to  perform  all  operations  as  a  contributor! 


After  login 

After you register successfully, the dashboard displays. (See Figure 11.) You can see CWE and MUO listed on the dashboard.
EnhancedCWE    Dashboard    Recent Actions    John

Home
Site administration    Applications

Successfully signed in as Contributor.

CWE (Common Weakness Enumeration)
CWEs
Categories

MUO (Misuse Cases, Use Cases & Overlooked Security Requirements)
MUO Containers    + Add

Figure 11


Actions  performed  by  a  contributor 
CWEs  and  Category 

1. A contributor can view existing CWEs and category information stored in the system.
(See  Figure  12.) 

Home  CWE  (Common  Weakness  Enumeration) 

CWE  (Common  Weakness  Enumeration)  administration  Applications  ▼ 


CWE  (Common  Weakness  Enumeration) 

CWEs 

Categories 


Figure  12 


2.  A  list  of  CWEs  displays.  (See  Figure  13.) 
CWE

CWE-99:  Improper  Control  of  Resource  Identifiers  ('Resource  Injection') 

CWE-98:  Improper  Control  of  Filename  for  Include/Require  Statement  in  PHP  Program  ('PHP  Remote  File  Inclusion') 

CWE-97:  Improper  Neutralization  of  Server-Side  Includes  (SSI)  Within  a  Web  Page 

CWE-96:  Improper  Neutralization  of  Directives  in  Statically  Saved  Code  ('Static  Code  Injection') 

CWE-95:  Improper  Neutralization  of  Directives  in  Dynamically  Evaluated  Code  ('Eval  Injection') 

CWE-942:  Overly  Permissive  Cross-domain  Whitelist 
CWE-941:  Incorrectly  Specified  Destination  in  a  Communication  Channel 
CWE-940:  Improper  Verification  of  Source  of  a  Communication  Channel 
CWE-93:  Improper  Neutralization  of  CRLF  Sequences  ('CRLF  Injection') 

CWE-927:  Use  of  Implicit  Intent  for  Sensitive  Communication 
CWE-926:  Improper  Export  of  Android  Application  Components 
CWE-925:  Improper  Verification  of  Intent  by  Broadcast  Receiver 
CWE-921:  Storage  of  Sensitive  Data  in  a  Mechanism  without  Access  Control 

Figure  13 

3.  As  contributor,  you  can  select  a  particular  CWE  to  view  or  change.  An  example  of  a  particular 
CWE  appears  below.  (See  Figure  14.) 

CWE 

Code: 

99 

Name: 

Improper  Control  of  Resource  Identifiers  ('Resource  Injection') 

Description: 

The  software  receives  input  from  an  upstream  component,  but  it  does  not  restrict  or  incorrectly  restricts  the  input  before  it  is  used  as  an  identifier  for  a  resource  that  may  be 
outside  the  intended  sphere  of  control. 


Categories 


Categories: 


Figure  14  (partial  view) 
Keywords


Keywords: 

improp,  inject,  control,  resourc,  incorrectli,  restrict,  sphere,  outsid,  compon,  softwar,  intend,  upstream,  identifi,  may,  receiv,  input,  use 


Get  Keywords  Suggestions 


Figure  14  (partial  view) 

4. Each CWE is related to one or more keywords. As a contributor, you can suggest a new keyword by entering the keyword suggestion and clicking the “Request Suggestions” button. The keyword-stemming algorithm reduces the keyword to its stem, as shown below. For example, if you suggest adding “Authentication”, the algorithm will stem it as “Authent”, after which you can add that keyword to the system. (See Figure 15.)


Get  Keywords  Suggestions 

Authentication 


Figure  15 


MUO  Containers 

1. You can add a new MUO container by clicking “Add MUO Container”. There are two ways to do this.

The  first  is  to  click  the  “+Add”  button.  (See  Figure  16.)  This  button  is  available  on  the 
dashboard. 
MUO (Misuse Cases, Use Cases & Overlooked Security Requirements)

MUO  Containers  +Add 


Figure  16 


The  second  way  is  to  click  “Add  MUO  Container”,  which  appears  after  you  click  the  “MUO 
Containers”  button  that  appears  on  the  dashboard.  (See  Figure  17.) 

Home    Muo (Misuse Cases, Use Cases & Overlooked Security Requirements)    MUO Containers

Select MUO Container to change    + Add MUO Container

Search    Filter

2015

Name    Status
MUO/00002    Approved
MUO/00001    Approved

Figure 17

2.  To  start  writing  a  new  MUO,  you  must  first  select  a  related  CWE.  Do  this  by  either  typing  the 
name  of  a  specific  CWE  into  the  search  box  or  by  using  the  “Search”  button  functionality 
provided  to  the  right  of  the  search  box. 

The  Misuse  Case  Type  is  set  to  New  by  default  as  a  new  MUO  is  being  written.  Provide  a  brief 
description  of  the  MUO  you  are  about  to  explain.  (See  Figure  18.) 


Name:

Cwes*

Misuse Case Type*
New

Brief Description

Figure 18
Now describe the misuse case in detail by identifying the primary actor, secondary actor, pre-condition, post-condition, flow of events, assumption, and source. Typical forms resemble those below. (See Figure 19 and Figure 20.)


Primary  actor 


Secondary  actor 


Pre-condition 


Figure  19 


3.  Add  a  use  case  relevant  to  the  misuse  case  you  just  described.  The  fields  required  for  adding 
a  use  case  are  similar  to  the  misuse  case  fields.  Enter  the  brief  description,  primary  actor, 
secondary  actor,  pre-condition,  flow  of  events,  post-condition,  assumption,  and  source.  (See 
Figure  20.) 
Figure 20: Use case fields for #1 (Use Case): Name, Brief description, Primary actor, Secondary actor, Pre-condition, Flow of events, Post-condition


4.  After  writing  the  misuse  case  and  use  case(s),  write  the  overlooked  security  requirement. 
First,  choose  a  type  of  overlooked  security  requirement,  which  can  be  one  of  the  following: 
Ubiquitous,  Event-Driven,  Unwanted  Behavior  and  State-Driven.  Then  write  the  overlooked 
security  requirement  that  you  deem  appropriate.  (See  Figure  21.) 
Please note that you can write more than one use case for a particular misuse case, but each use case must reference the overlooked security requirement to complete the MUO Container entry.


Figure 21: “Overlooked security requirements pattern type” selector

After  you  have  written  the  MUO  entry,  save  it  by  clicking  the  “Save”  button. 


Figure 22: “Add another Use Case” and “Save” buttons

After  saving  your  MUO,  submit  it  for  review  by  clicking  the  “Submit  for  Review”  button.  This 
button  is  visible  only  after  you  have  saved  the  MUO  once. 


Figure 23: “Submit for Review” button, shown with “Add another Use Case” once the MUO has been saved

After  an  MUO  is  submitted  for  review,  all  the  reviewers  in  the  system  are  notified.  You  must  wait 
for  your  MUO  to  be  accepted  or  rejected. 


Reviewer 

An  admin  can  assign  any  contributor  to  be  a  reviewer.  Please  see  the  SERF  Admin  Guide  to 
learn  how  an  admin  can  grant  reviewer  rights  to  a  contributor.  If  you  obtain  both  contributor 
rights  and  reviewer  rights,  you  can  review  the  MUO  that  is  submitted  for  review,  approve/reject 
it,  and  notify  the  submitter  by  sending  a  relevant  message. 
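The contributor and reviewer steps above amount to a small workflow: a container is saved, submitted for review once it is complete, and then approved or rejected with a message. The following Python sketch is an added example, not SERF's own code, that models that workflow together with the completeness rule stated above (every use case must reference the overlooked security requirement). The class, field and role names are assumptions chosen for illustration, and the sample container is constructed data rather than an entry from the MORE site.

```python
"""Added example: a model of the MUO Container workflow described above.

Illustrative code, not SERF's implementation. Class and field names are
assumptions; the states and transitions follow the user guide:
save, then submit for review, then approve or reject with a message.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set

# The four overlooked-security-requirement pattern types named in step 4.
PATTERN_TYPES = {"Ubiquitous", "Event-Driven", "Unwanted Behavior", "State-Driven"}


class Status(Enum):
    DRAFT = "draft"            # being written, never saved
    SAVED = "saved"            # saved once; "Submit for Review" becomes visible
    IN_REVIEW = "in_review"    # reviewers have been notified
    APPROVED = "approved"
    REJECTED = "rejected"


@dataclass
class UseCase:
    name: str
    flow_of_events: str
    mentions_osr: bool = False   # the use case must mention the OSR


@dataclass
class MuoContainer:
    name: str
    cwe_id: int                  # the related CWE selected in step 2
    misuse_case: str
    osr_pattern_type: str
    osr_text: str
    use_cases: List[UseCase] = field(default_factory=list)
    status: Status = Status.DRAFT
    review_message: Optional[str] = None

    def completeness_errors(self) -> List[str]:
        """Everything that must hold before the entry is complete."""
        errors = []
        if self.osr_pattern_type not in PATTERN_TYPES:
            errors.append(f"unknown pattern type {self.osr_pattern_type!r}")
        if not self.osr_text.strip():
            errors.append("overlooked security requirement is empty")
        if not self.use_cases:
            errors.append("at least one use case is required")
        for uc in self.use_cases:
            if not uc.mentions_osr:
                errors.append(f"use case {uc.name!r} does not mention the OSR")
        return errors

    def save(self) -> None:
        if self.status in (Status.DRAFT, Status.SAVED):
            self.status = Status.SAVED

    def submit_for_review(self) -> None:
        # The button only exists after one save; the completeness rule is
        # enforced here rather than left for the reviewer to discover.
        if self.status is not Status.SAVED:
            raise ValueError("save the MUO once before submitting it")
        errors = self.completeness_errors()
        if errors:
            raise ValueError("; ".join(errors))
        self.status = Status.IN_REVIEW

    def review(self, roles: Set[str], approve: bool, message: str) -> None:
        # Contributor rights alone are not enough to decide a submission.
        if "reviewer" not in roles:
            raise PermissionError("reviewer rights required")
        if self.status is not Status.IN_REVIEW:
            raise ValueError("container is not awaiting review")
        self.status = Status.APPROVED if approve else Status.REJECTED
        self.review_message = message


def example_container() -> MuoContainer:
    """Constructed sample data, not an entry from the MORE site."""
    return MuoContainer(
        name="MUO/00003",
        cwe_id=79,
        misuse_case="Attacker submits script in a form field that is rendered unescaped",
        osr_pattern_type="Ubiquitous",
        osr_text="The system shall encode all user-supplied data before rendering it",
        use_cases=[UseCase("Render profile page",
                           "User opens a profile; the page encodes stored fields",
                           mentions_osr=True)],
    )


def run_workflow() -> MuoContainer:
    """Walks one container through save, submission, and approval."""
    c = example_container()
    c.save()
    c.submit_for_review()
    c.review({"contributor", "reviewer"}, approve=True, message="Approved")
    return c
```

The check in `submit_for_review` is the point to notice: the guide makes completeness a rule for the contributor, and enforcing it at submission time keeps incomplete entries from reaching every reviewer's notification.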
Client


SERF provides a REST API for the Report Writer application and similar applications (e.g., Rapid7 and ExploitDB). To access the API from Report Writer or a similar application, the user, or any person representing the user, must register with SERF as a client in order to obtain an API token. (Once the user or user representative has registered as a client, an API key, or token, is issued; the application presents this token to authenticate itself when it accesses the API.)

To  register  as  client,  select  “Client”  under  Role  on  the  registration  page.  (See  Figure  24.) 

Figure 24: Sign Up form (Username, First name, Last name, Password, Password (again), E-mail, Role; “Already have an account? Then please sign in.”)

After  your  registration  as  client  is  confirmed,  you  can  log  in  to  the  SERF  application  and  copy 
your  REST  API  authentication  token.  Do  this  by  clicking  “Tokens”.  (See  Figure  25.) 

Figure 25: “Authtoken” section of the dashboard, with “Tokens” and “+Add”

When  you  click  “Tokens”,  your  key  displays.  (See  Figure  26.) 
Figure 26: Token list showing the Key column (the key value itself is not reproduced here)

As a client, copy this key into the Report Writer application's REST API settings so that Report Writer can communicate with SERF over the REST API. The key authenticates every API call made with it, so handle it as you would a password: keep it out of source control and out of shared configuration.

Should this key become compromised, you can change it from this same screen. You must then update the key at your end also (i.e., in the Report Writer application), since the old key no longer authenticates.
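The guide leaves it to the client application to store and present the token. The following Python module is an added example of doing that safely; it is not part of Report Writer or SERF. It assumes the token is sent as an `Authorization: Token <key>` header (the Django REST framework convention suggested by the “Authtoken” section in Figure 25, which the guide does not state), and the environment variable names `SERF_API_TOKEN` and `SERF_API_URL`, as well as the path `api/muos/` used when exercising it, are placeholders rather than documented SERF settings or endpoints.

```python
"""Added example: a client-side wrapper for the SERF REST API token.

Illustrative code, not part of Report Writer or SERF. Assumptions: the
token is sent as "Authorization: Token <key>" (the Django REST framework
TokenAuthentication convention, suggested by the "Authtoken" admin section
but not stated by the guide), and the environment variable names
SERF_API_TOKEN and SERF_API_URL are chosen here for illustration.
"""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit


class TokenConfigError(Exception):
    """Raised when the token or base URL is missing, unsafe, or rejected."""


def load_token(env=None) -> str:
    """Reads the key from the environment rather than from source code, so
    a compromised key can be replaced without a code change or a commit."""
    env = os.environ if env is None else env
    token = env.get("SERF_API_TOKEN", "").strip()
    if not token:
        raise TokenConfigError("SERF_API_TOKEN is not set")
    return token


def api_base(env=None) -> str:
    """Returns the SERF base URL, refusing plain HTTP: the token is a
    replayable bearer credential, so it must only travel over TLS."""
    env = os.environ if env is None else env
    url = env.get("SERF_API_URL", "").strip().rstrip("/")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise TokenConfigError("SERF_API_URL must be an https:// URL")
    return url


def build_request(path: str, env=None) -> urllib.request.Request:
    """Builds a GET request with the key in a header, never in the URL
    (query strings end up in server logs, proxies, and browser history)."""
    query = parse_qs(urlsplit(path).query)
    if any(k.lower() in ("token", "key", "api_key") for k in query):
        raise TokenConfigError("do not pass the token in the URL")
    req = urllib.request.Request(api_base(env) + "/" + path.lstrip("/"))
    req.add_header("Authorization", "Token " + load_token(env))
    req.add_header("Accept", "application/json")
    return req


def fetch_json(path: str, env=None, opener=urllib.request.urlopen):
    """Performs the call. A 401 after the key was changed on the SERF
    "Tokens" screen is the signal to update the copy held by Report Writer."""
    try:
        with opener(build_request(path, env)) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 401:
            raise TokenConfigError(
                "SERF rejected the token; copy the current key from Tokens") from e
        raise
```

A 401 is surfaced as a configuration error rather than retried, because after the key has been changed on the Tokens screen the only fix is to copy the new key into Report Writer's settings.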


CMU/SEI-2016-SR-002 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
Distribution Statement A: Approved for Public Release; Distribution is Unlimited


Security  Requirements  Finder  (SERF)  Admin  Guide 

Table of Contents

Introduction . 71
  Intended Audience . 71
Common Scenarios . 71
  Pages . 71
    Home Page . 71
    Dashboard Page . 72
  Common Admin Operations . 73
    Add . 74
    Modify . 75
    Delete . 76
    Save . 77
Tasks . 78
  Login . 78
  Logout . 78
  Approve New User’s Registration . 80
  Invite New User . 82
    Create an Invitation . 82
    Re-send Invitation . 83
  Access Rights Management . 84
    Group Management . 84
    User Management . 85
  Site Management . 87



Introduction 


This  document  is  the  admin  guide  for  the  web-based  application  Security  Requirement  Finder 
(SERF).  It  describes  the  detailed  steps  the  application  admin  must  follow  to  accomplish 
everyday  tasks. 

The  document  is  divided  into  two  major  sections: 

1. Common Scenarios: This section describes the frequently mentioned pages and the common operations shared by all the tasks.

2. Tasks: This section describes the detailed steps for accomplishing the everyday tasks that the website admin may need to perform.


Intended  Audience 

This  document  is  intended  for  the  admin  of  the  SERF  website. 


Common  Scenarios 


Throughout the document, certain concepts and web pages are mentioned frequently. They are listed and defined in this section.

Pages 

Home  Page 

The  home  page  is  the  first  page  users  see  when  they  enter  the  website  URL.  It  displays  the  title 
and  a  brief  introduction  of  the  website.  (See  Figure  1.) 
Figure 1: Home page. Header: SERF, with Login and Register links. Body: MORE, Malware-driven Overlooked REquirements, followed by the site introduction: “This site is meant to guide requirement engineers in identifying security requirements appropriate for their project. The site focuses on exploited vulnerabilities resulting from design flaws. For each new publicly posted exploited vulnerability, contributors can identify and provide a misuse case, use case and the overlooked security requirement(s) that created the vulnerability. This helps requirements engineers avoid these and potentially other vulnerabilities in their systems. Please register to use and enjoy.” Buttons: Register Now, Get MUOs. Footer: Copyright 2015 SERF. All rights reserved.


Dashboard  Page 

After  logging  in,  you  are  redirected  to  the  dashboard  page,  which  lists  all  manageable  task 
areas.  (See  Figure  2.) 
Figure 2: Dashboard Page (partial view). Header: SERF, Dashboard, Recent Actions, admin menu, Home. Site administration, Applications: Accounts (Email addresses +Add; Email confirmations +Add); Accounts Invitation (Email invitations +Add); Authentication and Authorization (Groups +Add; Users +Add)


Common  Admin  Operations 

The SERF website is built with a consistent look and feel, so the management of different functions looks very similar. Each function is explained below.

The typical management operations include the following:

• Add: Add a new instance, such as a user group.

• Save: Save the current modification.

• Modify: Modify the information of an existing instance.

• Delete: Delete an existing instance.

As an example, the management of user groups will serve to show how to perform addition, modification, or deletion in the website. Beyond user groups, the four operations listed above can be applied to other managed entities, including the following:

• email addresses, email confirmations, and email invitations

• groups and users

• tokens

• CWEs, categories, and keywords

• issue reports and MUO containers

• sites

• user profiles

Add 

You  can  add  a  user  group  in  one  of  two  ways:  through  “Add”  in  the  dashboard  page  or  by 
clicking  the  “Add”  button  in  the  group  list  page. 

In  the  dashboard  page,  locate  “Groups”  in  the  “Authentication  and  Authorization”  section.  There 
is  a  “+Add”  button  on  the  right  side.  Click  it  to  open  the  group-adding  page.  (See  Figure  3.) 

Figure 3: Add a group (Authentication and Authorization section, with “+Add” beside Groups and Users)

Alternatively,  you  can  click  the  “Groups”  name  first  to  open  the  group  list  page,  then  click  the 
“Add  group”  button  to  open  the  group-adding  page.  (See  Figure  4  and  Figure  5.) 

Figure 4: Click the “Groups” link in the Authentication and Authorization section

Figure 5: Click “Add group” to open the group adding page (breadcrumb: Home > Authentication And Authorization > Groups; “Select group to change”; “+ Add group”; Search; Action drop-down with Go; “0 of 1 selected”)
Modify


To  modify  a  group’s  settings,  follow  the  steps  below: 

1. In the dashboard page, navigate to the group list page through “Authentication and Authorization” -> “Groups”. (See Figure 4 above.)

2. In the group list, click the name of the group for which information is to be changed. The “Change group” page opens. (See Figure 6 and Figure 7.)


I )  Go 


Action: 


0  of  1  selected 


Q  Group 


□ 


default_group 


Figure  6:  Click  the  group’s  name 


Home  Authentication  And  Authorization  Groups  default_group 

Change  group 


History 


Name* 

default_group 


Available  permissions© 

Chosen  permissions© 

account  |  email  address  |  Can  add  email  address 
account  |  email  address  |  Can  change  email  address 
account  |  email  address  |  Can  delete  email  address 
account  |  email  confirmation  |  Can  add  email  confirmation 
account  |  email  confirmation  |  Can  change  email  confirmation 

- *.  1 - si  ^ - *■» —  l  r- - I-I-*. - *1 - f- - — 

admin  |  log  entry  |  Can  add  tog  entry 
admin  |  log  entry  |  Can  change  log  entry 
admin  |  log  entry  |  Can  delete  log  entry 
auth  |  group  |  Can  add  group 

Choose  all  O  q 

Q 

Hold  down  "Control",  or  "Command"  on  a  Mac,  to  select  more  than  one. 


Remove  all 


Auto  Assign 


|v^  Auto  Assign  to  Clients 


$  Auto  Assign  to  Contributors 


Figure  7:  The  “Change  group”  page  opens 
Delete


When a client unsubscribes, you must delete the user group. There are two ways to delete a user group: delete the selected user groups from the group list, or delete the currently opened user group.

To delete the selected user groups, follow the steps below:

1. In the dashboard page, navigate to the user group list through “Authentication and Authorization” -> “Groups”. (See Figure 8.)

2.  Select  all  the  user  groups  to  be  deleted. 

Figure 8: Select groups to be deleted (group list with default_group and my_group both checked; Action drop-down, Go, “2 of 2 selected”)

3.  Select  “Delete  selected  groups”  from  the  drop-down  list.  (See  Figure  9.) 


Figure 9: Delete selected groups (Action drop-down set to “Delete selected groups”, Go button, “2 of 2 selected”)


4.  Click  the  “Go”  button.  A  confirmation  page  displays. 

5.  Click  “Yes,  I’m  sure”  to  delete  all  the  selected  groups,  or  click  “No,  take  me  back”  to 
return  to  the  group  list  page. 
To delete the opened user group, follow the steps below:

1. In the dashboard page, navigate to the user group list through “Authentication and Authorization” -> “Groups”.

2.  Click  the  group  name  to  open  the  group. 

3.  In  the  group  page,  click  the  “Delete”  button. 

4.  Click  “Yes,  I’m  sure”  to  delete  this  group,  or  click  “No,  take  me  back”  to  return  to  the 
group  page. 


Save 

You  can  save  a  group  that  has  been  edited  by  using  any  of  these  three  buttons:  “Save  and  add 
another”,  “Save  and  continue  editing”,  or  “Save”.  (See  Figure  10.) 


Figure 10: Save an edited group (Add group page: Name; Permissions with Available permissions / Chosen permissions list boxes and “Choose all” / “Remove all”; Auto Assign, Auto Assign to Clients, Auto Assign to Contributors checkboxes; buttons “Save and add another”, “Save and continue editing”, “Save”)


These  three  buttons  are  usually  visible  in  the  group  detail  page.  However,  “Save  and  add 
another”  is  only  visible  when  you  are  adding  a  new  group. 


The  function  of  each  button  is  described  below: 

•  Save and add another: The currently edited group is saved, and a page with all fields at their default values is displayed so you can add another group.

•  Save  and  continue  editing:  The  currently  edited  group  is  saved  and  remains  open.  You 
can  continue  editing  its  information. 

•  Save:  The  currently  edited  group  is  saved.  The  group  list  page  displays. 
Tasks

This  section  describes  the  everyday  tasks  that  you  may  need  to  accomplish  as  admin. 


Login 

To log in to the system, follow the steps below:

1. Open the home page of the website.

2. Click the “Log in” button on the top-right corner (next to “Register”).

3. Enter your username and password. (See Figure 11.)

Figure 11: Log in (“Sign in to start your session” form, with “I forgot my password” and “Register a new account” links)

4. Click the “Sign In” button.

5. When the dashboard page displays, you have logged in successfully.


Log  out 

To log out of the system, follow the steps below:

1. In any page, click the user icon on the top-right corner. A drop-down menu displays. (See Figure 12.)

Figure 12: Click “Log out” (header bar with Recent Actions and the admin menu; menu entries View site, My Profile, Log out)

2. A confirmation page displays to confirm that you intend to log out.

Figure 13: Click “Sign Out” (“Are you sure you want to sign out?” with a Sign Out button)

NOTE: If you do not wish to log out, click the “Dashboard” button on the top of the page to return to the dashboard page.

3. Click “Sign Out”.

4. The home page displays. The “Log in” button appears on the top-right corner, which means you have logged out successfully.
Figure 14: Home page after logging out (Log in and Register links; MORE, Malware-driven Overlooked REquirements, with the site introduction shown in Figure 1; buttons Register Now, Search CWEs, Get MUOs; Copyright © 2015 SERF. All rights reserved.)


Approve  New  User’s  Registration 

To approve a user’s registration, follow the steps below:

1. In the dashboard page, navigate to “Accounts” -> “Email addresses”.

2. In the email address list, click the email address to be approved. The value of “Admin approval” for this email should be “Pending”.

3. In the “Change email address” page, click “Approve” to approve this email address. (See Figure 15.)


Figure 15: Approve registration request (User: johndoe; Admin approval: Pending; E-mail address: johndoe@example.com; Primary and Verified flags; Created at: Oct. 3, 2015, 8:36 p.m.; Modified at: Oct. 3, 2015, 8:36 p.m.; Modified by: (None); Requested role: Contributor; buttons Reject, Approve, Save and continue editing, Save)

4.  After  the  email  address  is  approved,  the  following  message  displays. 


The  email  address  "johndoe@example.com  (johndoe)"  has  been  approved. 


Figure  16:  Email  approval  message 


5.  The  user  can  now  log  in.  The  user  will  receive  an  email  notification  about  the  approval. 

Alternatively,  follow  the  steps  below  if  you  wish  to  reject  the  registration  of  the  user: 

1. In Step 3, click “Reject”.

2.  Enter  the  reason  for  rejecting  the  user’s  registration  in  the  pop-up  dialog.  (See  Figure 
17.) 
Figure 17: Reject registration request (dialog “Reject johndoe@example.com (johndoe)” with a field for the reason)


3.  Click  “Reject”. 

4.  The  following  message  displays: 


This  request  has  been  rejected  :  This  is  a  personal  email.  Please  use  an 
organizational  email  to  register. 


Figure  18:  Reason  for  registration  rejection 

5.  The  user  receives  an  email  that  explains  why  the  request  is  rejected. 


Invite  New  User 
Create  an  Invitation 

To  invite  a  new  user  to  use  the  system,  follow  the  steps  below: 

1. In the admin dashboard, navigate to “Accounts Invitation” -> “Email invitations”.

2.  Click  “Add  email  invitation”. 

3.  In  the  “Email”  textbox,  enter  the  email  address  of  the  user  to  be  invited.  (See  Figure  19.) 
Figure 19: Add email invitation (Email: johndoe@example.com; Key; Status: Pending; Created by: (None); Created at: Oct. 3, 2015, 8:58 p.m.; “Send Invitation” button)


4.  Click  “Send  Invitation”. 

5.  The  email  invitation  list  page  displays  with  a  message  of  success.  (See  Figure  20.) 


The email invitation "to johndoe@example.com" was added successfully.

Figure 20: Send email invitation (invitation list with columns Email, Created by, Created at, Status: johndoe@example.com, admin, Oct. 3, 2015, 9:05 p.m., Pending)


Re-Send  Invitation 

If  the  user  reports  that  no  invitation  email  was  received  or  the  invitation  email  was  deleted  by 
mistake,  you  can  re-send  the  invitation  email.  To  re-send,  follow  the  steps  below: 

1. In the admin dashboard, navigate to “Accounts Invitation” -> “Email invitations”.

2.  In  the  email  list,  click  the  email  through  which  the  owner  is  invited. 

3.  In  the  “Change  email  invitation”  page,  click  “Re-Send  Invitation”. 

4.  The  email  invitation  list  page  will  display  with  a  message  of  successful  re-send.  (See 
Figure  21 .) 
The email invitation "to johndoe@example.com" was changed successfully.

Figure 21: Successful invitation re-send (invitation list with columns Email, Created by, Created at, Status: johndoe@example.com, admin, Oct. 3, 2015, 9:05 p.m., Pending)


Access  Rights  Management 

Group  Management 

To  add  a  group,  follow  the  steps  below: 

1. In the admin dashboard, navigate to “Authentication and Authorization” -> “Groups”.

2.  In  the  group  list  page,  click  “Add  group”. 

3.  In  the  “Add  group”  page,  enter  the  group  name. 

4.  In  the  “Permissions”  list  box,  select  the  permissions  that  should  be  assigned  to  the 
group.  (See  Figure  22.) 

Figure 22: Select permissions (Available permissions list box with a Filter field, listing cwe | Category | Can add Category, cwe | Category | Can change Category, cwe | Category | Can delete Category, cwe | Category | Can view Category)


5. Click the right arrow to assign the selected permissions to the group. (See Figure 23.)
Figure 23: Permission assignment. Before: the entries sit in the Available permissions box (“Choose all”). After: Chosen permissions lists cwe | Category | Can add Category, cwe | Category | Can change Category, cwe | Category | Can view Category


6. If users should be added to this group automatically, choose one or more of the following:

a. Auto Assign: This group is automatically assigned to every registered user.

b. Auto Assign to Clients: This group is automatically assigned to every user registered as a client.

c. Auto Assign to Contributors: This group is automatically assigned to every user registered as a contributor.

7.  Click  “Save”  to  save  the  permission  assignment. 


To  modify  a  group’s  configuration,  follow  the  steps  below: 

1. In the admin dashboard, navigate to “Authentication and Authorization” -> “Groups”.

2.  In  the  group  list  page,  click  the  group  name. 

3.  Modify  the  permissions  or  the  automatic  assignment  options  as  described  above. 

4.  Click  “Save”  to  save  the  modifications. 


User  Management 

To  manage  the  user’s  permissions,  follow  the  steps  below: 

1. In the admin dashboard, navigate to “Authentication and Authorization” -> “Users”.

2.  In  the  user  list  page,  click  the  user’s  name. 
3. In the “Change user” page, scroll down to the “Permissions” section.

4.  In  the  “User  permissions”  list  box,  select  the  permissions  that  should  be  assigned  to  the 
user.  (See  Figure  24.) 

Figure 24: Change user permissions (Available user permissions list box with a Filter field, listing cwe | Category | Can add Category, cwe | Category | Can change Category, cwe | Category | Can delete Category, cwe | Category | Can view Category)


5.  Click  the  right  arrow  to  assign  the  selected  permissions  to  the  user.  (See  Figure  25.) 

Figure 25: Before permission assignment (Available user permissions box, “Choose all”)

Figure 26: After permission assignment (Chosen user permissions: cwe | Category | Can add Category, cwe | Category | Can change Category, cwe | Category | Can view Category; “Choose all” / “Remove all”)

6.  Click  “Save”  to  save  the  permission  assignment. 
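The group and user steps above both end in a list of chosen permissions, and a user's effective rights are the union of what its groups grant and what is assigned to it directly. The following Python sketch is an added example, not SERF's code, that models that combination and the three auto-assign flags so an admin can reason about who ends up with what; group, user and role names are assumptions, and the sample data is constructed. It also includes a check the guide does not provide: flagging groups that are auto-assigned to every registered user yet grant change or delete rights.

```python
"""Added example: how group and user permissions combine in SERF's admin,
and what the three "Auto Assign" flags do at registration time.

Illustrative code, not SERF's implementation. It mirrors the admin screens
in this guide: permissions are labelled "<app> | <model> | Can <action>
<model>", a user's effective permissions are the union of every group's
permissions plus those assigned directly, and auto-assign flags add new
users to groups by role. Group, user, and role names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


def perm(app: str, model: str, action: str) -> str:
    """Builds a permission label in the format of the admin list boxes."""
    return f"{app} | {model} | Can {action} {model}"


@dataclass
class Group:
    name: str
    permissions: Set[str] = field(default_factory=set)
    auto_assign: bool = False                  # every registered user
    auto_assign_to_clients: bool = False       # users registered as Client
    auto_assign_to_contributors: bool = False  # users registered as Contributor


@dataclass
class User:
    username: str
    role: str                                  # "client" or "contributor"
    groups: List[Group] = field(default_factory=list)
    user_permissions: Set[str] = field(default_factory=set)

    def effective_permissions(self) -> Set[str]:
        """Union of direct permissions and those of every group."""
        perms = set(self.user_permissions)
        for g in self.groups:
            perms |= g.permissions
        return perms

    def has_perm(self, label: str) -> bool:
        return label in self.effective_permissions()


def auto_assign(user: User, groups: List[Group]) -> User:
    """Applies the auto-assign flags as the Group Management steps describe."""
    for g in groups:
        applies = (g.auto_assign
                   or (g.auto_assign_to_clients and user.role == "client")
                   or (g.auto_assign_to_contributors and user.role == "contributor"))
        if applies and g not in user.groups:
            user.groups.append(g)
    return user


def risky_auto_assigned_groups(groups: List[Group]) -> List[str]:
    """Names groups that every registered user receives and that grant a
    delete or change permission: a likely least-privilege mistake, because
    'Auto Assign' reaches every registered user, not just trusted ones."""
    return [g.name for g in groups
            if g.auto_assign and any(" | Can delete " in p or " | Can change " in p
                                     for p in g.permissions)]


def example() -> Dict[str, bool]:
    """Constructed sample: a read-only group for everyone, an editor group
    for contributors, and one direct permission on a user."""
    readers = Group("category_readers", {perm("cwe", "Category", "view")},
                    auto_assign=True)
    editors = Group("category_editors",
                    {perm("cwe", "Category", "add"),
                     perm("cwe", "Category", "change"),
                     perm("cwe", "Category", "view")},
                    auto_assign_to_contributors=True)
    groups = [readers, editors]
    client = auto_assign(User("acme_client", "client"), groups)
    contributor = auto_assign(User("johndoe", "contributor"), groups)
    # A direct user permission, as in the User Management steps.
    contributor.user_permissions.add(perm("cwe", "Category", "delete"))
    return {
        "client_can_view": client.has_perm(perm("cwe", "Category", "view")),
        "client_can_add": client.has_perm(perm("cwe", "Category", "add")),
        "client_can_delete": client.has_perm(perm("cwe", "Category", "delete")),
        "contributor_can_add": contributor.has_perm(perm("cwe", "Category", "add")),
        "contributor_can_delete": contributor.has_perm(perm("cwe", "Category", "delete")),
    }
```

Direct user permissions are convenient for one-off grants, but they are invisible on the group pages; auditing `effective_permissions` per user, rather than the group list alone, is what shows the real picture.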
Site Management

To  manage  the  site  information,  follow  the  steps  below: 

1. In the admin dashboard, navigate to “Sites” -> “Sites”.

2.  Click  “Add  site”. 

3.  In  the  “Add  site”  page, 

a.  In  “Domain  name”,  enter  the  public  domain  name  of  the  website. 

b.  In  “Display  name”,  enter  a  more  user-friendly  name  to  make  it  easier  for  the 
users  to  recognize  the  website.  This  name  will  also  be  used  in  the  emails  that  are 
automatically  sent  to  users.  (See  Figure  27.) 

Figure 27: Add site (Domain name: http://localhost:8000; Display name: EnhancedCWE official website; buttons “Save and add another”, “Save and continue editing”, “Save”)


4.  Click  “Save”  to  save  the  site  information. 

NOTE:  Please  do  not  add  multiple  pieces  of  site  information.  If  multiple  sites  are  added,  only  the 
most  recently  added  one  will  be  used. 




REPORT DOCUMENTATION PAGE (Form Approved, OMB No. 0704-0188)


1. Agency Use Only: (Leave Blank)

2. Report Date: June 2016

3. Report Type and Dates Covered: Final

4. Title and Subtitle: Report Writer and Security Requirements Finder: User and Admin Manuals

5. Funding Numbers: FA8721-05-C-0003

6. Author(s): Nancy R. Mead; CMU MSE Studio Team: Sankalp Anand, Anurag Gupta, Swati Priyam, Yaobin Wen, Walid El Baroni

7. Performing Organization Name(s) and Address(es): Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213

8. Performing Organization Report Number: CMU/SEI-2016-SR-002

9. Sponsoring/Monitoring Agency Name(s) and Address(es): AFLCMC/PZE/Hanscom, Enterprise Acquisition Division, 20 Schilling Circle, Building 1305, Hanscom AFB, MA 01731-2116

10. Sponsoring/Monitoring Agency Report Number: n/a

11. Supplementary Notes:

12a. Distribution/Availability Statement: Unclassified/Unlimited, DTIC, NTIS

12b. Distribution Code:

13. Abstract (maximum 200 words):

This  report  presents  instructions  for  using  the  Malware-driven  Overlooked  Requirements  (MORE)  website  applications.  The  site  enables 
requirements  engineers  and  architects  to  bring  the  benefit  of  malware  attack  analysis  to  their  own  product  development.  They  can 
examine  reports  of  exploited  vulnerabilities,  frequently  augmented  by  relevant  misuse  cases,  use  cases,  and  overlooked  security 
requirements  (MUO)  that  site  contributors  have  posted.  From  this  data  they  can  search  the  site  to  identify  security  requirements  suitable 
to  their  own  projects.  They  can  also  contribute  related  content  and  new  reports. 

Users  can  interact  with  the  site  through  two  applications  documented  here.  The  Security  Requirement  Finder  (SERF)  allows  site 
contributors  to  build  on  malware  exploit  reports,  add  MUOs  while  referencing  Common  Weakness  Enumeration  (CWE).  The  Report 
Writer  application  connects  to  SERF  and  aids  contributors  in  adding  MUOs  to  the  exploit  reports. 

Instructions  on  performing  these  activities  in  both  applications  are  presented  here,  as  well  as  guides  for  performing  administrative  tasks 
associated  with  the  applications. 